Brief Summary

SQL Wildcard Attacks are about forcing the underlying database to carry out CPU intensive queries by using several wildcards. This vulnerability generally exists in search functionalities of the web applications. Successful exploitation of this attack will cause Denial of Service.

Description of the Issue

In a typical web application if you were to enter "foo" into the search box, the resulting SQL query might be:SELECT * FROM Article WHERE Content LIKE '%foo%'

In a decent database with 1-100000 records the query above will take less than a second. The following query, in the very same database, will take about 6 seconds with only 2600 records.

SELECT TOP 10 * FROM Article WHERE Content LIKE '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_%'

So, if an attacker wanted to tie up the CPU for 6 seconds they would enter the following to the search box:_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_

Black Box testing and example

Testing for SQL Wildcard Attacks:
Craft a query which will not return a result and includes several wildcards. Send this data through the search feature of the application. If the application takes more time than a usual search, it is vulnerable.